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MEMORANDUM  FOR  DIRECTOR,  DEFENSE  INFORMATION  SYSTEMS  AGENCY 

SUBJECT:  External  Quality  Control  Review  of  the  Defense  Information  Systems  Agency  Audit 
Organization  (Report  No.  DODIG-2012-116) 

We  are  providing  this  report  for  your  information  and  use.  We  have  reviewed  the  system  of 
quality  control  for  the  audit  organization  of  the  Defense  Information  Systems  Agency 
Office  of  Inspector  General  (DIS  A IG)  in  effect  for  the  period  ended  March  3 1 ,  20 1 1 .  A  system 
of  quality  control  for  DISA’s  audit  organization  encompasses  the  audit  organization’s  leadership, 
emphasis  on  performing  high  quality  work,  and  policies  and  procedures  established  to  provide 
reasonable  assurance  of  compliance  with  generally  accepted  government  auditing  standards 
(GAGAS).  The  DIS  A  IG  is  responsible  for  designing  a  system  of  quality  control  and  complying 
with  its  system  to  provide  DISA  IG  management  with  reasonable  assurance  that  its  audits  are 
performed  and  reported  on  in  accordance  with  GAGAS  in  all  material  respects. 

Our  review  was  conducted  in  accordance  with  GAGAS  and  guidelines  established  by  the 
Council  of  the  Inspectors  General  on  Integrity  and  Efficiency.  We  tested  the  DISA  IG  audit 
organization’s  system  of  quality  control  to  the  extent  we  considered  appropriate..  GAGAS 
require  that  an  audit  organization  perfomiing  audits  in  accordance  with  GAGAS  have  an 
appropriate  internal  quality  control  system  in  place  and  undergo  an  external  quality  control 
review  at  least  once  every  3  years  by  reviewers  independent  of  the  audit  organization  being 
reviewed.  An  audit  organization’s  quality  control  policies  and  procedures  should  be 
appropriately  comprehensive  and  suitably  designed  to  provide  reasonable  assurance  that  they 
meet  GAGAS  requirements  for  quality  control. 

Federal  audit  organizations  can  receive  a  rating  of pass,  pass  with  deficiencies,  or  fail.  In  our 
opinion,  the  DISA  IG  audit  organization’s  system  of  quality  control  for  audits  was  suitably 
designed  in  accordance  with  quality  standards  established  by  GAGAS;  however,  we  identified 
significant  deficiencies  that  existed  in  the  audit  organization’s  compliance  with  its  system  of 
quality  control.  The  significant  deficiencies  identified  do  not  provide  DISA  IG  management 
with  reasonable  assurance  of  performing  and  reporting  in  conformi  ty  with  GAGAS  in  all 
material  aspects.  Accordingly,  as  a  result  of  the  significant  deficiencies  described  in 
Appendix  B,  we  are  issuing  a  fail  opinion  on  the  DISA  IG  audit  organization’s  system  of  quality 
control  used  on  audits  for  the  review  period  ended  March  3 1,  201 1 . 

Appendix  A  discusses  our  review  of  the  DISA  IG  system  of  quality  control  and 

Appendix  B  contains  matters  that  resulted  in  the  fail  opinion.  In  addition.  Appendix  C  contains 

comments  and  observations  where  the  DISA  IG  audit  organization  can  improve  its  quality 

control  program  related  to  auditing  practices.  Appendix  D  contains  a  summary  of  the  results  of 

our  interviews  with  DISA  IG  audit  staff.  Appendix  E  contains  the  scope  and  methodology  of  the 

review. 


We  appreciate  the  courtesies  extended  to  the  audit  staff.  For  additional  information  on  this 
report,  please  contact  Ms,  Carolyn  R.  Davis  at  (703)  604-8877  (DSN  664-8877). 


Randolph  R.  Stone 
Deputy  Inspector  General 
for  Policy  and  Oversight 


Introduction 


Defense  Information  Systems  Agency 

The  Defense  Information  Systems  Agency  (DISA)  is  a  combat  support  agency  that  engineers  and 
provides  command  and  control  capabilities  and  enterprise  infrastructure  to  continuously  operate 
and  assure  a  global  net-centric  enterprise  in  direct  support  to  joint  warfighters,  national  level 
leaders,  and  other  mission  and  coalition  partners  across  the  full  spectrum  of  operations.  DISA  is 
headquartered  at  Fort  Meade,  Maryland  and  employs  about  16,000  military  and  civilian 
employees,  and  their  contractor  partners. 

DISA  IG  Audit  Organization 

The  DISA  Office  of  the  Inspector  General  (IG)  is  an  independent  office  within  DISA  that 
conducts,  supervises,  monitors,  and  initiates  audits,  inspections,  and  investigations  relating  to 
programs  and  operations  of  DISA.  DISA  Instruction  100-45-1,  “Inspector  General  of  the 
Defense  Information  Systems  Agency,”  dated  April  11,  2008,  establishes  the  mission  of  the 
Office  of  the  Inspector  General  and  delineates  its  responsibilities,  functions,  authorities,  and 
relationships.  The  DISA  IG  audit  organization  is  located  at  Headquarters  and  has  a  regional 
office  at  Scott  Air  Force  Base  in  Illinois.  The  audit  organization  promotes  continuous 
improvement  in  management  controls  by  conducting  audits  and  reviews  of  DISA  operations  and 
financial  activities  to  evaluate  operational  efficiency  and  effectiveness,  and  performing  follow¬ 
up  procedures  for  prior  audit  recommendations.  The  IG  reports  to  the  Director/Vice  Director, 
DISA.  Additional  details  on  the  DISA  IG  audit  organization  and  the  scope  and  methodology  for 
this  review  are  contained  at  Appendix  E. 
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Appendix  A.  System  of  Quality  Control  Was 
Suitably  Designed 

With  the  exception  of  two  areas,  the  system  of  quality  control  for  the  DISA  IG  audit  organization 
was  suitably  designed.  The  DISA  IG  Audit  Handbook  (the  Audit  Handbook)  contained  policies 
and  procedures  that  established  internal  guidance  and  audit  requirements,  and  if  properly 
followed,  would  provide  reasonable  assurance  that  GAGAS  would  be  met. 

The  DISA  IG  audit  organization  performed  work  and  issued  reports  covered  in  our  review 
pursuant  to  the  July  2007  version  of  the  Audit  Handbook.  The  Audit  Handbook  was  updated  in 
March  2011  to  reflect  current  guidance  as  well  as  practical  audit  techniques  and  innovative 
strategies. 

The  two  areas  where  the  Audit  Handbook  did  not  contain  specific  policies  and  procedures  for 
ensuring  that  audits  and  attestation  engagements  comply  with  GAGAS  were: 

•  The  Audit  Handbook  did  not  contain  procedures  for  notifying  the  entity  management 
when  an  impairment  to  independence  is  identified  after  the  audit  report  is  issued. 

•  The  Audit  Handbook  did  not  contain  procedures  to  ensure  that  the  continuing  education 
and  training  requirements  for  the  agency's  audit  staff  are  met.  Particularly,  the  Audit 
Handbook  did  not  contain  policies  and  procedures  on  how  the  audit  organization 
documents  and  tracks  formal  continuing  professional  education  and  training. 

Adding  policies  and  procedures  to  the  Audit  Handbook  to  address  these  two  areas  is  important  to 
ensure  auditors  are  fully  aware  of  their  responsibilities  while  perfonning  work  under  GAGAS. 

Recommendation,  Management  Comments,  and  Our 
Response 

Recommendation 

We  recommend  that  the  Director,  DISA: 

1.  Update  the  Audit  Handbook  to  include  policies  and  procedures  that: 

a.  Explain  the  process  for  notifying  the  entity  management  when  an  impairment  to 
independence  is  identified  after  the  audit  report  is  issued. 

b.  Explain  how  the  audit  organization  documents  and  tracks  formal  continuing 
professional  education  and  training. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  DISA  will  update  the  Audit  Handbook  to  include 
explanations  for  the  process  for  notifying  the  entity  management  when  an  impairment  to 
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independence  is  identified  after  the  audit  report  is  issued  and  how  the  audit  organization 
documents  and  tracks  formal  continuing  professional  education  and  training. 


Our  Response 

The  management  comments  are  responsive.  When  completed,  we  request  the  Inspector  General, 
DISA,  to  provide  us  with  a  copy  of  the  revised  Audit  Handbook. 
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Appendix  B.  Significant  Deficiencies  that  Provide 
the  Basis  for  the  Fail  Opinion 

We  identified  significant  deficiencies  that  existed  in  the  audit  organization’s  compliance  with  its 
system  of  quality  control.  GAGAS  3.51  states  that  an  audit  organization’s  system  of  quality 
control  encompasses  the  audit  organization’s  leadership,  emphasis  on  perfonning  high  quality 
work,  and  the  audit  organization’s  policies  and  procedures  designed  to  provide  reasonable 
assurance  of  complying  with  professional  standards  and  applicable  legal  and  regulatory 
requirements.  The  significant  deficiencies  identified  do  not  provide  the  DISA  IG  audit 
organization  with  reasonable  assurance  of  performing  and  reporting  in  confonnity  with  generally 
accepted  government  auditing  standards  (GAGAS)  in  all  material  respects.  Therefore,  we  are 
issuing  a  fail  opinion  on  their  external  quality  control  review. 

Significant  deficiencies  affecting  our  opinion  on  the  DISA  IG  audit  organization’s  compliance 
with  its  system  of  quality  control  are: 

•  Annual  quality  assurance  reviews  were  not  always  perfonned  and  those  perfonned  were 
not  effective; 

•  Nonaudit  services  were  performed  without  an  evaluation  of  potential  independence 
impairments; 

•  DISA  did  not  exercise  sufficient  professional  judgment  as  evidenced  by  substantive 
noncompliance  with  GAGAS  and  their  system  of  quality  control  on  all  four  audit 
assignments  reviewed; 

•  There  was  a  lack  of  evidence  of  initial  and  final  supervisory  reviews  of  workpapers 
significant  to  supporting  findings  and  conclusions; 

•  Auditors  did  not  obtain  sufficient  and  appropriate  audit  evidence  to  support  findings  and 
conclusions;  and 

•  A  letter  report  asserted  a  nonaudit  service  was  conducted  in  accordance  with  GAGAS. 

These  significant  deficiencies  as  identified  above  provide  the  basis  for  the  opinion  and  our 
concern  about  the  audit  organization’s  inability  to  comply  with  the  DISA  IG  quality  control 
system  to  provide  reasonable  assurance  of  compliance  with  GAGAS. 

Implementing  the  recommendations  identified  in  this  report  would  assist  the  DISA  IG’s  efforts 
in  improving  their  audit  organization’s  system  of  quality  control  thereby  helping  to  ensure 
compliance  with  GAGAS  requirements. 

Quality  Assurance  Program 

Annual  Quality  Assurance  Reviews  Not  Always  Performed  and  Those 
Performed  Deemed  Not  Effective 

The  DISA  IG  audit  organization  did  not  meet  GAGAS  and  Audit  Handbook  requirements  to 
perfonn  annual  internal  quality  assurance  reviews  of  their  audits.  Quality  assurance  reviews 
were  perfonned  in  November  2008  and  February  2011,  but  there  were  no  reviews  conducted 
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during  2010.  The  February  2011  review  was  perfonned  in  preparation  of  our  review  of  the 
DISA  IG  audit  operations  being  discussed  in  this  report. 1  GAGAS  3.53f  requires  an  audit 
organization  to  perfonn  an  ongoing,  periodic  assessment  of  work  completed  on  audits  and 
attestation  engagements  designed  to  provide  management  of  the  audit  organization  with 
reasonable  assurance  that  the  policies  and  procedures  related  to  the  system  of  quality  control  are 
suitably  designed  and  operating  effectively  in  practice.  GAGAS  3.54  states  the  audit 
organization  should  analyze  and  summarize  the  results  of  its  monitoring  procedures  at  least 
annually,  with  identification  of  any  systemic  issues  needing  improvement,  along  with 
recommendations  for  corrective  action.  The  Audit  Handbook  states  the  Branch  Chief  will 
perform  annual  internal  quality  assurance  reviews  of  audits  using  guidance  adapted  from  the 
President’s  Council  on  Integrity  and  Efficiency  (PCIE)  Guide  for  Conducting  External  Quality 
Control  Reviews  of  the  Audit  Operations  of  Offices  of  Inspector  General.2 

Also,  the  DISA  IG  quality  assurance  program  was  not  implemented  in  a  manner  to  have 
maximum  effectiveness.  During  our  analysis  of  the  quality  assurance  reviews  that  were 
perfonned  in  November  2008  and  February  201 1,  we  found  that  some  of  the  issues  identified  by 
DISA  IG  auditors  were  similar  to  those  identified  during  this  external  quality  control  review 
(refer  to  sections  below).  We  also  concluded  that  some  of  the  issues  the  DISA  IG  auditors 
identified  were  not  integral  to  ensure  that  audit  policies  and  procedures  related  to  the  system  of 
quality  control  were  suitably  designed  and  operating  effectively  in  practice.  In  addition,  the 
audit  organization  did  not  take  measures  to  correct  problems  and  practices  that  could  help  ensure 
compliance  with  applicable  professional  standards  and  quality  control  policies  and  procedures 
for  GAGAS  audits.  Lastly,  both  reviews  were  completed  by  a  senior  auditor,  even  though  the 
Audit  Handbook  states  that  Branch  Chiefs  will  perform  the  annual  reviews. 

November  2008  Quality  Assurance  Review 

There  were  five  audits  included  in  the  quality  assurance  review.  The  review  identified  systemic 
issues  for  all  five  audits;  however,  no  recommendations  were  provided  for  corrective  actions.  To 
address  the  issues  identified,  the  Inspector  General,  Deputy  Inspector  General,  Assistant 
Inspector  General  for  Auditing,  and  Branch  Chiefs  discussed  each  of  the  problem  areas  in  some 
detail  to  detennine  a  course  of  action,  but  took  measures  only  to  improve  the  audit  planning 
process,  and  held  a  meeting  with  all  of  the  auditors  to  ensure  the  auditors  fully  understood  the 
areas  needing  improvement. 

Also,  some  of  the  issues  identified  by  the  DISA  IG  quality  assurance  reviewer  were  similar  to 
those  identified  during  this  external  quality  control  review.  For  example,  the  DISA  IG  quality 
assurance  reviewer  noted  that: 

•  for  three  of  the  five  projects,  the  audit  plan  was  not  updated  to  reflect  changes  made  to 
the  plan  during  the  audit; 


1  The  February  2011  review  was  entitled  “Mock  Peer  Review”. 

2  The  Inspector  General  Reform  Act  of  2008  changed  the  PCIE  and  Executive  Council  on  Integrity  and  Efficiency 
(ECIE)  to  the  Council  of  Inspectors  General  on  Integrity  and  Efficiency  (CIGIE). 
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•  for  two  of  the  five  projects,  the  audit  report  did  not  include  a  description  of  the  sampling 
design  and  why  it  was  chosen  when  sampling  significantly  supported  the  auditors’ 
findings,  conclusions,  or  recommendations;  and 

•  for  one  of  the  five  projects,  the  audit  report  did  not  clearly  explain  the  audit’s  scope. 

In  addition,  we  detennined  that  part  of  the  quality  assurance  review  was  conducted  using 
outdated  professional  standards.  Specifically,  the  review  was  performed  using  the  2003  version 
of  GAGAS,  even  though  one  of  the  five  audits  began  after  January  1,  2008.  The  July  2007 
revision  of  GAGAS  superseded  the  2003  revision  and  became  effective  for  performance  audits 
beginning  on  or  after  January  1,  2008,  and  for  financial  audits  for  periods  beginning  on  or  after 
January  1,  2008. 

February  2011  Quality  Assurance  Review 

There  were  three  audits  included  in  the  quality  assurance  review.  According  to  the  DISA  IG,  the 
review  was  perfonned  in  preparation  of  the  DOD  OIG  external  quality  control  review.  Also,  two 
of  the  three  findings  and  recommendations  the  DISA  IG  presented  were  not  vital  to  ensure 
the  audit  organization  was  complying  with  its  system  of  quality  control  and  GAGAS.  The 
findings  and  recommendations  would  not  provide  reasonable  assurance  that  the  audit 
organization  is  following  applicable  auditing  standards  and  has  established  and  is  following 
adequate  audit  policies  and  procedures.  The  DISA  IG’s  findings  were: 

•  the  Audit  Handbook  did  not  contain  an  organization  chart,  training  matrix,  or 
hiring/training  policies  and  procedures  applicable  to  5 1 1  series; 

•  lack  of  electronic  workpapers  impeded  the  review  and  management  control  process  of  the 
Mock  Peer  Review;  and 

•  some  discrepancy  between  numbering  of  workpapers. 

Furthennore,  of  the  three  audits  reviewed  as  part  of  the  DISA  IG’s  quality  assurance  review,  one 
was  selected  and  examined  by  the  DOD  OIG  as  part  of  this  external  quality  control  review.  It 
was  the  Audit  of  Travel  Vouchers  Through  the  Defense  Travel  System.  The  DOD  OIG  review 
team’s  assessment  disclosed  deficiencies  that  the  DISA  IG  did  not.  Specifically,  the  deficiencies 
included: 

•  the  audit  plan  was  not  updated  to  reflect  changes  made  to  the  plan  during  the  audit; 

•  the  audit  team  did  not  develop  the  elements  of  a  finding  necessary  to  address  the  audit 
objectives  (did  not  perform  procedures  to  identify  the  reason  or  explanation  for  a 
condition  that  was  identified); 

•  a  finding  in  the  audit  report  was  inadequate  (the  effect  was  not  adequately  stated); 

•  the  audit  report  did  not  clearly  explain  the  audit’s  scope,  including  the  kinds  and  sources 
of  evidence  used; 

•  the  audit  report  did  not  clearly  explain  the  criteria  used;  and 

•  the  independent  reference  review  (IRR)  certification  for  the  final  report  was  not  signed 
by  the  Assistant  Inspector  General  for  Auditing  (AIGA). 
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Recommendation,  Management  Comments,  and  Our 
Response 

Recommendation 

We  recommend  that  the  Director,  DISA: 

2.  Establish  a  2-year  plan  for  both  audit  offices  to  review  audits  for  compliance  with 
internal  quality  assurance  policies  and  procedures  and  GAGAS. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  The  DISA  IG  audit  organization  will  conduct  its 
annual  quality  assurance  assessment  in  compliance  with  GAGAS  and  the  revised  Audit 
Handbook.  Due  to  the  small  size  of  the  Audit  Division,  an  internal  auditor  will  perform  the 
quality  assurance  assessments,  and  the  Audit  Handbook  will  be  updated  to  reflect  this  change. 

Our  Response 

The  management  comments  are  responsive.  When  completed,  we  request  the  Inspector  General, 
DISA,  to  provide  us  with  a  copy  of  the  revised  Audit  Handbook. 


Nonaudit  Services 

Nonaudit  Services  Performed  With  No  Evaluation  of  Potential 
Independence  Impairments 

During  the  period  under  review,  the  DISA  IG  audit  organization  performed  three  nonaudit 
services  and  no  fonnal  documentation  was  prepared  for  evaluating  potential  independence 
impairments  for  any  of  the  nonaudit  services.  As  a  safeguard  to  ensuring  that  independence  is 
not  impaired  by  performing  a  nonaudit  service,  GAGAS  3.30  states  the  audit  organization  should 
document  its  consideration  of  the  nonaudit  services,  including  its  conclusions  about  the  impact 
on  independence.  The  Audit  Handbook  states  that  documentation  for  nonaudit  services  must 
include  evidence  of  analysis  showing  that  the  seven  safeguards  to  independence  were  satisfied. 
The  seven  safeguards  are: 

•  document  rationale  that  providing  the  nonaudit  service  does  not  violate  the  two 
overarching  principles3; 

•  establish  and  document  an  understanding  with  the  audited  entity  regarding  the  objectives, 
scope  of  work,  and  product  or  deliverables  of  the  nonaudit  service,  including  an 
understanding  that  management  is  responsible  for  the  results  of  the  service; 


3  The  DISA  IG  Audit  Handbook  is  referring  to  the  two  overarching  principles  which  are  identified  in  GAGAS  3.22 
(July  2007  Version  of  GAGAS).  The  two  overarching  principles  are  (1)  audit  organizations  must  not  provide 
nonaudit  services  that  involve  performing  management  functions  or  making  management  decisions  and  (2)  audit 
organizations  must  not  audit  their  own  work  or  provide  nonaudit  services  in  situations  in  which  the  nonaudit 
services  are  significant  or  material  to  the  subject  matter  of  the  audits. 
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•  preclude  personnel  who  perfonn  nonaudit  services  from  perfonning  any  related  audit 
work  (can  be  waived  if  less  than  40  hours  of  work  is  perfonned); 

•  ensure  that  the  scope  and  extent  of  audit  work  is  not  reduced  beyond  the  level  that  would 
be  appropriate  if  another  unrelated  party  performed  the  nonaudit  work; 

•  establish  a  quality  control  system  that  includes  policies  and  procedures  to  consider  the 
effect  on  ongoing,  planned,  and  future  audits  and  require  a  documented  understanding 
with  the  audited  entity  management; 

•  communicate  to  the  audited  entity  management  that  the  audit  organization  will  not  be 
able  to  perform  subsequent  related  audit  work;  and 

•  disclose  related  nonaudit  service  to  peer  reviewers,  and  make  available  the  project 
documentation  required. 


Professional  Judgment 

Failure  to  Exercise  Sufficient  Professional  Judgment 

GAGAS  3.3 1  states  that  auditors  must  use  professional  judgment  in  planning  and  performing 
audits  and  in  reporting  the  results.  GAGAS  3.35  states  that  using  professional  judgment  in  all 
aspects  of  carrying  out  their  professional  responsibilities,  including  following  the  independence 
standards  and  maintaining  appropriate  quality  control  over  the  assignment  process  is  essential  to 
perfonning  and  reporting  on  an  audit.  In  addition  to  the  noncompliances  in  planning,  perfonning 
and  reporting  in  each  of  the  four  audits  reviewed,  we  also  found  noncompliances  in  3  of  the  4 
audits  in  the  independence  standards  area  and  in  each  of  the  4  audits  in  the  quality  control 
standards  area.  The  Audit  Handbook  states  that  all  auditors  are  responsible  for  complying  with 
GAGAS  while  carrying  out  their  audit  work  and  must  justify  any  departures  from  GAGAS.  We 
detennined  that  the  DISA  IG  audit  organization  did  not  exercise  professional  judgment  due  to 
the  array  of  noncompliances  found  in  the  majority  of  auditing  standards  areas  including  quality 
control  and  assurance,  supervision,  evidence,  documentation,  reporting,  independence,  planning, 
and  the  use  and  application  of  GAGAS.  The  GAGAS  areas  where  the  audit  organization  lacked 
professional  judgment  are  included  in  the  table  below  and  discussed  in  detail  throughout  this 
report. 
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DISA  IG  Audit  Organization’s  Noncompliances  with  GAGAS  and  System  of  Quality 

Control 


Audits 
Reviewed 
(By  Report 
Number) 

Independence 

Quality 

Control 

Planning 

Perfonning: 

Audit 

Evidence  and 
Documentation 

Performing: 

Supervision 

Reporting 

2011-02, 

Compliance 

with 

Requirements 
for  Item 
Unique 
Identification 
(IUID) 

Clauses  in 

Supply 

Contracts 

X 

X 

X 

X 

X 

X 

2011-01, 

Operational 

Support 

Systems 

Issues 

X 

X 

X 

X 

X 

2009-06, 

Travel 

Vouchers 

Through 

DTS 

X 

X 

X 

X 

2009-01, 
Incoming 
MIPRs  at 
DITCO  Scott 

X 

X 

X 

X 

The  table  above  depicts  both  significant  deficiencies  and  deficiencies  in  multiple  standards  areas 
which  evidences  a  lack  of  professional  judgment  as  defined  in  GAGAS  3.3 1  and  3.35.  While  the 
significant  deficiencies  associated  with  the  DISA  IG  audit  organization's  noncompliance  with  its 
system  of  quality  control  serve  as  the  basis  for  the  fail  opinion,  this  table  also  includes 
noncompliances  discussed  in  Appendix  C  to  capture  the  lack  of  professional  judgment  in  all 
aspects  related  to  the  professional  responsibilities  of  DISA  auditors.  We  evaluated  professional 
judgment  across  the  four  audit  projects  reviewed,  and  the  deficiencies  coupled  with  the  lack  of 
an  adequate  quality  assurance  program  and  issues  related  to  nonaudit  services  from  an 
independence  and  reporting  perspective. 
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Supervision 


There  was  No  Evidence  of  Initial  or  Final  Supervisory  Reviews  of 
Workpapers  that  Supported  Findings  and  Conclusions 

For  one  of  the  four  projects  reviewed,  we  detennined  that  several  GAGAS  and  Audit 
Handbook  requirements  pertaining  to  supervision  were  not  followed  because  there  was  no 
evidence  of  initial  or  final  supervisory  reviews  of  the  audit  work  perfonned  during  the 
fieldwork  phase.  For  the  “Audit  of  DISA  Compliance  with  Requirements  for  IUID  Clauses  in 
Supply  Contracts,”  Report  No.  2011-02,  there  was  no  evidence  of  initial  supervisory  reviews 
for  the  workpapers  prepared  to  support  the  first  audit  finding  and  conclusions  contained  in  the 
audit  report  and  no  evidence  of  final  supervisory  reviews  for  the  workpapers  prepared  to 
support  the  second  audit  finding  and  conclusions  contained  in  the  audit  report. 

GAGAS  7.52  states  that  audit  supervisors  or  those  designated  to  supervise  auditors  must 
properly  supervise  audit  staff  and  GAGAS  7.80c  states  that  auditors  should  document  evidence 
of  supervisory  review,  before  the  audit  report  is  issued,  of  the  work  performed  that  supports 
findings,  conclusions,  and  recommendations  contained  in  the  audit  report.  Further,  GAGAS  7.79 
states  that  the  process  of  preparing  and  reviewing  audit  documentation  contributes  to  the  quality 
of  an  audit.  Audit  documentation  serves  to:  (1)  provide  the  principal  support  for  the  auditors’ 
report;  (2)  aid  auditors  in  conducting  and  supervising  the  audit;  and  (3)  allow  for  the  review  of 
audit  quality.  In  addition  to  GAGAS,  the  Audit  Handbook  states  the  first  and  primary  element 
for  ensuring  the  quality  of  audits  is  supervisory  review  of  the  project  documentation  and 
supervisory  review  should  be  evident  throughout  the  audit  phase.  The  Audit  Handbook  also 
states  that  supervisory  signatures  or  initials  on  documentation,  throughout  the  audit,  will  be 
considered  sufficient  documentary  evidence  meeting  the  supervision  fieldwork  standard. 

We  found  no  evidence  of  any  supervisory  reviews  for  the  50  workpapers  that  detailed  the  audit 
team’s  analysis  of  the  50  sample  items  tested  for  the  first  finding.  Also,  for  the  second  finding, 
of  the  29  analysis  and  summary  workpapers  prepared  to  support  the  testing  of  all  3 18  sample 
items,  there  was  no  evidence  of  final  supervisory  reviews.  We  found  that  after  their  initial 
reviews,  supervisors  provided  comments  to  the  preparer  of  the  workpapers,  but  there  was  no 
evidence  that  supervisors  reviewed  the  workpapers  again  to  detennine  whether  the  actions  taken 
by  the  preparer  were  sufficient. 

Furthennore,  supervisors  did  not  complete  the  IRR  process  for  the  audit.  During  the  IRR 
process  for  the  draft  report,  it  was  noted  by  the  reviewer  that  the  majority  of  the  workpapers  were 
not  reviewed  and  signed  by  the  supervisors.  This  IRR  deficiency  was  never  corrected  and  the 
supervisors  did  not  sign  off  on  the  IRR  certification. 

Additional  Deficiency  in  Audit  Supervision 

For  the  Audit  of  Operational  Support  Systems  Issues,  we  identified  where  a  working  paper 
supporting  the  findings,  conclusions,  and  recommendations  did  not  include  evidence  of 
supervisory  review  and  approval  prior  to  final  report  issuance.  Specifically,  there  was  no 
documentation  of  supervisory  review  for  the  summary  workpaper  that  supported  the  second 
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finding.  Overall,  there  was  evidence  of  supervisory  reviews  throughout  the  audit,  but  this 
deficiency  was  noted  due  to  the  significance  of  the  workpaper  to  the  audit  report. 


Audit  Evidence  and  Documentation 

Auditors  Did  Not  Obtain  Sufficient  and  Appropriate  Audit  Evidence 

For  the  “Audit  of  DISA  Compliance  with  Requirements  for  IUID  Clauses  in  Supply  Contracts,” 
Report  No.  2011-02,  the  auditors  did  not  obtain  sufficient,  appropriate  evidence  to  provide  a 
reasonable  basis  for  their  findings  and  conclusions.  GAGAS  7.55  states  auditors  must  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  their  findings  and  conclusions, 
and  GAGAS  7.56  states  the  concept  of  sufficient,  appropriate  evidence  is  integral  to  an  audit. 

The  Audit  Handbook  states  that  the  information  and  evidence  assembled  and  the  conclusion 
developed  must  form  a  sound  basis  for  the  findings  and  recommendations  and,  therefore,  must  be 
supported  by  sufficient,  competent,  and  relevant  evidence.  Also,  the  Audit  Handbook  states  a 
record  of  the  evidence  should  be  in  the  fonn  of  project  documentation. 

For  the  IUID  audit,  93  percent  of  the  testing  results  for  the  second  finding  were  not  supported  by 
sufficient  and  appropriate  documentation.  Specifically,  of  the  287  serial  numbers/assets  tested  to 
detennine  whether  they  were  registered  in  a  database,  257  were  found  not  to  be  registered,  and 
even  though  database  extracts  were  available  for  these  exceptions,  the  audit  team  did  not  include 
this  information  in  the  audit  project  file.4  Also,  there  was  no  consistency  pertaining  to  the 
documentation  that  was  maintained  as  evidence.  For  example,  of  the  30  serial  numbers/assets 
found  to  be  registered,  19  were  supported  by  printouts  from  the  database.  In  addition,  in  some 
instances,  the  audit  team  used  e-mails  with  handwritten  notes  as  supporting  documentation.5 
The  auditors  wrote  “Yes”  and  “No”  on  the  e-mails  to  state  whether  or  not  a  serial  number  was 
registered.  GAGAS  A7.02  (Appendix  I)  states  that  the  strength  and  weakness  of  each  form  of 
evidence  depends  on  the  facts  and  circumstances  associated  with  the  evidence  and  professional 
judgment  in  the  context  of  the  audit  objectives.  Documentary  evidence,  such  as  database 
extracts,  is  a  stronger  form  of  evidence. 

Due  to  the  absence  of  sufficient  and  appropriate  audit  evidence,  we  determined  that  the  report’s 
conclusions  were  not  adequately  supported.  For  future  audits,  DISA  IG  auditors  should  ensure 
that  in  assessing  evidence,  they  evaluate  whether  the  evidence  taken  as  a  whole  is  sufficient  and 
appropriate  for  addressing  the  audit  objectives  and  supporting  findings  and  conclusions. 


4  Database  extracts  stating  "No  Records  Found"  were  available  if  serial  numbers/assets  were  not  registered. 

5  The  e-mails  were  correspondences  where  the  auditors  requested  and/or  received  the  serial  numbers. 
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Reporting 


Letter  Report  Asserted  a  Nonaudit  Service  Was  Conducted  in 
Accordance  with  GAGAS 

The  DISA  IG  issued  a  Letter  Report  to  discuss  the  results  of  a  nonaudit  service  and  included  the 
unmodified  GAGAS  compliance  statement  in  the  report,  which  violated  GAGAS  1.33.  GAGAS 
1.33  states  that  auditors  must  not  report  that  a  nonaudit  service  was  conducted  in  accordance 
with  GAGAS.  Further,  the  Audit  Handbook  states  that  when  the  Assistant  IG  issues  a  report  on 
a  nonaudit  service,  the  report  must  clearly  indicate  that  the  work  was  not  done  according  to 
GAGAS. 

The  Letter  Report  was  issued  for  the  Data  Mining  of  DISA  Government  Travel  Card  Program 
(Project  No.  2010-H-301)  in  August  2010.  The  project  initially  began  as  an  audit,  but  senior 
management  decided  to  change  the  project  to  a  review  due  to  problems  in  correctly  correlating 
data  used.  According  to  the  Assistant  Inspector  General  for  Auditing,  DISA  IG  auditors  found 
the  data  received  from  a  particular  source  to  be  unreliable  because  some  infonnation  was  missing 
from  the  database.  Also,  DISA  IG  auditors  found  causes  for  some  of  the  omissions,  but  not  all 
of  them.  Because  using  the  particular  database  would  result  in  false  positives,  DISA  IG  auditors 
did  not  report  any  findings  or  recommendations. 

The  DISA  IG  Audit  Handbook  does  not  contain  policies  and  procedures  for  issuing  a  Letter 
Report.  This  is  the  only  instance  where  the  DISA  IG  issued  a  Letter  Report. 

Recommendation,  Management  Comments,  and  Our 
Response 

Recommendation 

We  recommend  that  the  Director,  DISA: 

3.  Issue  a  memorandum  to  the  recipient  of  the  Letter  Report:  Data  Mining  of  DISA 
Government  Travel  Card  Program  (Project  No.  2010-H-301),  August  10,  2010,  to 
state  that  the  nonaudit  service  provided  was  not  performed  in  accordance  with 
GAGAS. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  A  memorandum  to  the  recipient  of  the  Letter  Report: 
Data  Mining  of  DISA  Government  Travel  Card  Program  (Project  No.  2010-H-301), 

August  10,  2010  will  be  issued  to  state  that  the  nonaudit  service  provided  was  not  perfonned  in 
accordance  with  GAGAS. 

Our  Response 

The  management  comments  are  responsive.  When  completed,  we  request  the  Inspector 
General,  DISA,  to  provide  us  with  a  copy  of  the  memorandum  that  was  issued. 
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Appendix  C.  GAGAS  Noncompliances 
Warranting  Disclosure  Due  to  Their  Importance 
to  the  Quality  Control  System 

The  DISA  IG  audit  organization’s  perfonnance  during  the  audits  showed  evidence  of 
noncompliance  in  five  additional  GAGAS  areas  pertaining  to  audit  evidence  and  documentation, 
reporting,  independence,  planning,  and  quality  control.  These  live  areas  of  noncompliance  were 
not  considered  to  be  significant  and  did  not  affect  the  opinion  rendered,  but  due  to  their  relative 
importance  to  the  audit  organization’s  system  of  quality  control,  they  warrant  disclosure. 

For  each  of  the  live  areas,  the  auditors  did  not: 

•  audit  evidence  and  documentation 

o  properly  develop  the  elements  of  a  finding; 

•  reporting 

o  adequately  present  the  elements  of  a  finding,  and 
o  adequately  explain  the  audit’s  scope  and  methodology; 

•  independence 

o  complete  a  Statement  of  Independence,  and 
o  assess  the  independence  of  a  specialist; 

•  planning 

o  update  audit  programs  to  reflect  changes, 
o  obtain  an  understanding  of  the  qualifications  of  a  specialist,  and 
o  approve  audit  plans  in  accordance  with  procedures  established  in  the  quality 
control  system;  and 

•  quality  control 

o  comply  with  independent  reference  review  policies  and  procedures. 

All  Elements  of  a  Finding  Were  Not  Sufficiently  Developed 

For  the  Audit  of  Travel  Vouchers  Through  the  Defense  Travel  System,  we  identified  a 
deficiency  where  the  audit  evidence  and  documentation  was  not  sufficient  to  address  the  audit 
objectives  and  to  support  the  findings  and  conclusions.  Specifically,  the  auditors  did  not 
properly  develop  the  elements  of  a  finding  necessary  to  address  the  audit  objectives. 

GAGAS  7.72  states  auditors  should  plan  and  perform  procedures  to  develop  the  elements  of  a 
finding  necessary  to  address  the  audit  objectives,  and  a  finding  or  set  of  findings  is  complete  to 
the  extent  that  the  audit  objectives  are  addressed.  The  Audit  Handbook  states  that  during  the 
fieldwork  phase  of  a  performance  audit,  the  team  should  collect,  analyze,  interpret,  and 
document  the  information  and  evidence  needed  to  accomplish  the  audit  objectives  and  to  support 
the  audit  results  and  conclusions. 

For  the  Audit  of  Travel  Vouchers  through  the  Defense  Travel  System,  a  secondary  objective  was 
to  determine  whether  vouchers  had  required  supporting  documents  and  expenses  were  supported 
by  receipts  when  required.  The  audit  team  did  not  perfonn  procedures  to  identify  the  reason  or 
explanation  for  a  condition  nor  establish  a  clear,  logical  link  to  establish  the  impact  or  potential 
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impact  of  the  difference  between  the  situation  that  existed  and  the  required  or  desired  state.  For 
example,  one  of  the  conditions  that  existed  was  that  travel  vouchers  (38  of  196  travel  vouchers) 
within  the  travel  system  were  missing  required  receipts;  travelers  sought  payments  totaling 
approximately  $28,600  in  travel  expenses  that  were  not  substantiated.  It  was  implied  by  the 
recommendation  in  the  audit  report  that  the  travel  receipts  were  missing  because  they  were  not 
properly  uploaded  into  the  system  by  the  travelers.  There  was  no  evidence  in  the  workpapers  to 
indicate  that  DISA  IG  auditors  evaluated  whether  travelers  did  not  comply  with  the  requirements 
for  uploading  travel  receipts,  nor  was  it  confirmed  that  travelers  failed  to  properly  upload  the 
travel  receipts  into  the  system.  A  root  or  underlying  cause  for  the  missing  receipts  was  never 
supported. 


Reporting 

Findings  in  Audit  Reports  Were  Inadequate 

DISA  IG’s  audit  reports  were  not  presented  with  a  clear  and  concise  summarization  of  the  audit 
findings  and  conclusions.  For  three  of  the  four  projects  we  reviewed  (the  Audit  of  Operational 
Support  System  Issues,  the  Audit  of  Travel  Vouchers  through  DTS,  and  the  Audit  of  Incoming 
MIPRs  at  DITCO  Scott),  the  audit  report  contained  findings  which  were  not  adequately 
developed.  GAGAS  8.14  states  clearly  developed  findings  assist  management  or  oversight 
officials  of  the  audited  entity  in  understanding  the  need  for  taking  corrective  action.  The  Audit 
Handbook  states  that  the  finding  summary  paragraphs  should  summarize  the  finding  by 
highlighting  condition,  cause,  and  effect;  be  concise;  and  give  the  reader  a  general  understanding 
of  the  problem(s)  and  foreshadow  the  need  for  recommended  action(s). 

For  the  Audit  of  Operational  Support  Systems  Issues,  two  of  the  three  findings’  elements  were 
not  sufficiently  developed.  For  example,  there  was  no  effect  provided  for  Finding  B;  the  audit 
team  did  not  describe  the  consequences  of  the  actions  taken,  particularly  when  the  results 
showed  variation  from  regulations.  In  Finding  C,  the  condition  was  actually  the  cause  and  the 
effect  was  the  condition.  Specifically,  the  audit  report  stated  the  following: 
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Finding  C:  Circumstances  of  Netcool  Software  Acquisition  were 
Wasteful 

NS8  initiated  a  purchase  request  for  Micromuse  Netcool  Software  (Netcool 
software)  in  September  2006,  prior  to  completing  the  required  architectural 
design  and  implementing  strategy  (Condition).  Thus,  NS8  expended  more  than 
three  years  of  funds  in  unused  licenses  and  maintenance  fees,  prior  to  installing 
the  Netcool  software  in  June  2008  and  making  the  software  operational  in 
December  2009  (Effect).  These  conditions  occurred  because  NS8  originally 
sought  to  avoid  losing  $724,256  in  procurement  funds  set  to  expire  in  FY  2006. 

As  a  result,  NS8  expended  $3,684,129  for  Netcool  Software  licenses  and  annual 
maintenance  fees  for  FY  2006  through  FY  2009  for  software  that  went  unused 
from  its  acquisition  in  FY  2007  to  June  2008  (Effect).  This  purchase  did  not 
provide  the  best  value  for  the  Government  and  precluded  DISA  from  expending 
these  procurement  funds  on  other  validated  requirements. 

For  the  Audit  of  Travel  Vouchers  Through  the  Defense  Travel  System,  one  of  the  four  findings 
was  not  sufficiently  developed.  Specifically,  the  effect  was  not  adequately  stated  in  Finding 
Three.  The  audit  report  stated  that  because  individuals  were  not  able  to  provide  copies  of 
documentation  detailing  their  job-related  duties  and  responsibilities,  they  may  not  know  how  to 
properly  perfonn  their  duties.  A  more  appropriate  effect  would  have  been  that  the  individuals 
may  not  know  what  duties  they  are  to  perfonn.  Since  the  effect  may  be  used  to  demonstrate  the 
need  for  corrective  action  in  response  to  identified  problems  or  relevant  risks,  auditors  should 
ensure  that  the  effect  is  concise. 

For  the  Audit  of  Incoming  MIPRs  at  DITCO  Scott,  both  of  the  finding  summary  paragraphs  did 
not  include  the  causes  and  effects.  While  the  causes  and  effects  were  sometimes  identified  in  the 
following  discussion  sections  related  to  the  findings,  omission  of  the  cause  and  effect  in  the 
finding  summary  paragraphs  did  not  meet  Audit  Handbook  requirements.  According  to  the 
Regional  IG  at  DISA,  the  summary  finding  paragraphs  for  the  audit  report  were  prepared  in 
accordance  with  guidance  received  from  senior  management  in  October  2008.  Senior 
management  presented  a  new  fonnat  as  to  how  the  summary  finding  paragraph  should  be 
constructed,  which  did  not  include  the  cause  and  effect.  Instead,  the  cause  and  effect  were  to  be 
included  in  the  sub-findings.  The  July  2007  version  of  the  DISA  IG  Audit  Handbook  was  never 
updated  to  include  this  new  guidance. 

The  Audit’s  Scope  and  Methodology  Was  Inadequately  Explained 

The  DISA  IG  did  not  adequately  explain  the  audit’s  scope  and  methodology  in  the  audit  report 
for  two  of  the  four  projects  we  reviewed.  Specifically,  the  audit  reports  did  not  clearly  explain: 

•  the  audit’s  scope,  including  the  relationship  between  the  population  (universe)  and  the 
items  tested  (sample  size); 

•  the  audit’s  scope,  including  the  kinds  and  sources  of  evidence  used; 

•  how  the  audit’s  methodology  and  completed  audit  work  supports  the  audit  objectives, 
including  the  criteria  used;  and/or 

•  how  the  audit’s  methodology  and  completed  audit  work  support  the  audit  objectives, 
including  when  the  sampling  significantly  supports  the  auditors’  findings,  conclusions,  or 
recommendations,  a  description  of  the  sampling  design  and  why  it  was  chosen. 
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GAGAS  8.11  states  that  auditors  should  describe  the  scope  of  the  work  performed  and  any 
limitations,  including  issues  that  would  be  relevant  to  likely  users,  so  that  they  could  reasonably 
interpret  the  findings,  conclusions,  and  recommendations  in  the  report  without  being  misled. 

The  Audit  Handbook  states  that  the  report  must  address  the  objectives,  scope,  and  methodology 
or  approach  used  in  conducting  the  audit.  The  scope  and  methodology  used  for  achieving  the 
audit  objectives  are  usually  included  in  Appendix  A  of  the  audit  report.  In  addition,  if  sampling 
was  used,  the  team  should  describe  the  sample  design  and  why  it  was  chosen.  The  description 
should  include  the  size  of  the  sample  and  the  dollar  value  associated  with  it,  if  appropriate.  They 
should  also  fully  discuss  sampling  plan  and  sample  results,  but  avoid  presenting  complex 
statistical  analyses  and  formulas.  Further,  the  Audit  Handbook  states  GAGAS  requires  that  the 
team  should  explain  the  evidence  gathering  and  analytical  techniques  in  sufficient  detail  to  allow 
knowledgeable  users  of  their  reports  to  understand  how  the  auditors  answered  the  audit 
objective.  Specific  examples  of  the  deficiencies  in  explaining  the  audit’s  scope  and  methodology 
are  detailed  in  the  table  that  follows. 
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Audit  Project 

Listing  of  Deficiencies  in  Explaining  the  Audit’s  Scope  and 

Methodology 

Audit  of  Compliance 
with  Requirements  for 
IUID  Clauses  in  Supply 
Contracts  (Project  No. 
2010-H-304) 

•  The  specific  number  of  contracts  (20)  used  for  the  second 
finding  were  not  mentioned  in  Appendix  A.  Also,  auditors 
did  not  clearly  explain  whether  the  20  contracts  were  part 
of  the  50  contracts  used  in  the  first  finding. 

•  The  Contracting  Officer  Representative/Task  Monitor 
database  used  to  verify  training  requirements  was  not 
identified  in  Appendix  A  as  kinds  and  sources  of  evidence 
used.  A  review  of  the  database  was  completed  as  part  of 
Finding  B.  The  auditors  found  that  some  of  the 

Contracting  Officer  Representatives/Task  Monitors  had  not 
completed  mandatory  training. 

•  For  the  second  finding,  Appendix  A  did  not  describe  the 
sample  designs  or  why  they  were  chosen. 

Audit  of  Travel 
Vouchers  Through  the 
Defense  Travel  System 
(Project  No.  2009-H- 
301) 

•  Appointment  records  and  training  documents  obtained  and 
reviewed  were  not  identified  in  Appendix  A  as  kinds  and 
sources  of  evidence  used.  The  review  of  these  documents 
was  discussed  in  Finding  Three.  Specifically,  the  auditors 
found  that  Authorizing  Officials  and  Certifying  Officials 
did  not  maintain  copies  of  appointment  letters  as  required 
by  the  DoD  Financial  Management  Regulation.  Also,  the 
Authorizing  Officials  and  Certifying  Officials  did  not 
provide  requested  training  documentation  so  that  the 
auditors  could  verify  that  training  requirements,  as 
described  in  Public  Law  104-106,  were  met. 

•  Public  Law  104-106  was  not  properly  defined  in  the  audit 
report  (Finding  Three).  This  criteria  should  have  been 
defined  and  supported  in  the  report  itself,  not  referenced  in 
another  criteria  (Defense  Travel  Management  Office  Guide 
[DTMO]).  Public  Law  104-106  is  the  overarching  criteria 
and  the  DTMO  Guide  implements  it. 

Independence 

Auditors  and  Specialist  Did  Not  Certify  their  Independence 

For  two  of  the  four  audits  we  reviewed,  two  of  the  eight  auditors  assigned  to  the  projects  did  not 
complete  a  Statement  of  Independence.  Also,  for  one  of  the  four  audits,  the  audit  team  did  not 
ensure  that  a  statistician  completed  a  Statement  of  Independence.  GAGAS  3.02  states  that  in  all 
matters  relating  to  the  audit  work,  the  individual  auditor  must  be  free  from  personal,  external, 
and  organizational  impairments  to  independence.  GAGAS  3.05  states  when  auditors  use  the 
work  of  a  specialist,  auditors  should  assess  the  specialist’s  ability  to  perform  the  work  and  report 
results  impartially  as  it  relates  to  their  relationship  with  the  program  or  entity  under  audit.  The 
Audit  Handbook  states  that  all  employees,  including  technical  experts  assigned  to  audits  must 
certify  their  independence  or  impairment  to  independence  for  each  project.  Whether  or  not  a 
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person  is  directly  charging  time  to  a  project,  that  person  must  certify  their  independence  by 
completing  the  Statement  of  Independence. 

For  the  Audit  of  Compliance  with  Requirements  for  IUID  Clauses  in  Supply  Contracts,  one  of 
the  five  auditors  assigned  to  the  project  did  not  complete  a  Statement  of  Independence.  In 
addition,  for  the  Audit  of  Operational  Support  Systems  Issues,  one  of  the  three  auditors  assigned 
to  the  project  did  not  complete  a  Statement  of  Independence.  Also,  for  this  audit,  a  supervisor 
did  not  sign  a  team  member’s  Statement  of  Independence  as  required  by  the  Audit  Handbook, 
which  states  that  the  next  level  supervisor  (Project  Leader  or  Assistant  IG)  reviews  and  signs  the 
Statement  of  Independence.  By  signing  the  Statement  of  Independence,  supervisors  agree  that  it 
appears  that  no  personal  or  external  impairments  to  independence  exist. 

For  the  Audit  of  Incoming  MIPRs  at  DITCO  Scott,  a  statistician  who  the  audit  team  collaborated 
with  did  not  complete  a  Statement  of  Independence.  One  of  the  factors  that  helped  the  auditors 
select  the  sample  that  was  used  for  the  audit  was  the  statistician's  suggestions. 


Planning 

Deficiencies  in  Audit  Planning 

We  found  that  all  four  of  the  projects  reviewed  lacked  compliance  with  GAGAS  and  Audit 
Handbook  requirements  for  audit  planning.  The  deficiencies  in  audit  planning  were  caused  by  a 
lack  of: 


•  updating  the  audit  program  to  reflect  changes  made  to  the  plan  during  the  audit; 

•  obtaining  an  understanding  of  the  qualifications  of  a  specialist;  and 

•  approving  audit  plans  in  accordance  with  the  procedures  established  in  the  quality  control 
system. 

Audit  Plans  Not  Updated  to  Reflect  Changes  in  Scope 

For  two  of  the  four  projects,  the  audit  program  was  not  modified  to  reflect  a  change  in  the  audit’s 
scope.  GAGAS  7.06  states  that  auditors  must  adequately  plan  and  document  the  planning  of  the 
work  necessary  to  address  the  audit  objectives.  Also,  GAGAS  7.50  states  auditors  should  update 
the  plan,  as  necessary,  to  reflect  any  significant  changes  to  the  plan  made  during  the  audit.  In 
addition,  the  Audit  Handbook  states  if  changes  in  the  scope  of  the  audit  occur  as  the  audit 
proceeds,  the  audit  program  should  be  modified  to  reflect  the  changes. 

For  the  Audit  of  Operational  Support  Systems  Issues,  the  audit  program  was  not  modified  as 
required  by  the  Audit  Handbook  to  reflect  a  change  in  the  total  number  of  contracts  in  the 
universe  the  audit  team  used  to  pull  a  judgmental  sample.  Initially,  the  universe  contained  34 
contracts  valued  at  $25. 1  million.  However,  the  universe  changed  from  34  contracts  to  33 
contracts,  which  were  valued  at  $24.9  million. 

For  the  Audit  of  Travel  Vouchers  Through  the  Defense  Travel  System,  the  audit  program  was 
not  updated  to  reflect  a  change  regarding  whose  (civilian  versus  military)  travel  vouchers  the 
audit  team  would  review.  Management  initially  decided  that  only  the  travel  documents  of 
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civilian  personnel  would  be  reviewed,  but  it  was  later  decided  upon  to  review  the  travel 
documents  of  military  personnel  as  well. 

Qualifications  of  Specialist  Not  Assessed 

For  one  of  the  four  projects,  the  auditors  did  not  assess  the  qualifications  of  an  external  specialist 
that  assisted  in  perfonning  the  audit.  GAGAS  3.49  states  that  auditors  who  use  the  work  of 
external  specialists  should  assess  the  professional  qualifications  of  such  specialists  and  document 
their  findings  and  conclusions.  The  Audit  Handbook  states  auditors  who  use  the  work  of 
specialists  should  document  that  the  specialists  are  qualified  in  their  areas  of  specialization. 

One  of  the  factors  that  helped  the  auditors  select  the  sample  that  was  used  for  the  Audit  of 
Incoming  MIPRs  at  DITCO  Scott  was  a  statistician's  suggestions.  The  audit  team  sought 
confirmation  from  the  statistician  regarding  potential  confidence  levels,  error  rates,  and  sample 
sizes  to  be  considered  for  the  audit.  An  external  specialist’s  qualifications  should  be  assessed  to 
verify  their  professional  qualifications  in  their  field  of  work. 

Audit  Programs  Not  Approved  in  Accordance  with  Policies  and  Procedures 

For  two  of  the  four  projects,  Audit  of  Compliance  with  Requirements  for  IUID  Clauses  in 
Supply  Contracts  and  Audit  of  Operational  Support  Systems  Issues,  the  audit  program  was  not 
approved  in  accordance  with  the  Audit  Handbook.  The  Audit  Handbook  states  the  DISA  IG 
must  approve  the  written  audit  program  before  the  beginning  of  the  audit  verification  phase  by 
signing  off  on  the  plan  either  electronically  or  hardcopy  signature.  Although  there  was 
documentation  where  the  audit  approach  was  discussed  with  senior  management,  there  was  no 
evidence  of  final  approval  of  the  audit  plan  because  senior  management  did  not  sign  off  on  the 
plan  either  electronically  or  hardcopy  signature. 

Additional  Quality  Control  Policies  and  Procedures 

Inputs  to  the  quality  control  system  at  the  DISA  IG  include  independent  reference  reviews  and 
the  use  of  project  technical  checklists,  which  should  be  applied  to  most  projects.  These  measures 
help  to  ensure  that  products  issued  are  accurate,  complete,  and  logical,  and  provide  reasonable 
assurance  that  the  audit  organization  has  adopted  and  is  following  applicable  auditing  standards, 
and  has  established  and  is  following  adequate  audit  policies  and  procedures. 

For  three  of  the  four  projects  we  reviewed,  we  identified  several  deficiencies  related  to  the  audit 
organization’s  independent  report  referencing  process  and  use  of  project  quality  control 
checklists-perfonnance  audits.  The  majority  of  the  deficiencies  revolved  around  the  independent 
reference  review  process,  which  can  have  an  adverse  effect  on  the  overall  process. 

Deficiencies  in  the  Independent  Reference  Review  Process 

The  Audit  Handbook  provides  policy  and  guidance  for  quality  control  independent  referencing 
reviews  of  audits  the  AIGA  conducts.  It  implements  portions  of  GAGAS  on  professional 
judgment,  quality  control,  and  reporting.  The  Audit  Handbook  states  that  independent 
referencing  is  an  integral  part  of  the  audit  quality  control  process  that  helps  to  ensure  that  the 
draft  and  final  reports  are  accurate  and  adequately  supported  by  the  audit  documentation. 
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For  three  of  the  four  projects,  we  identified  several  instances  where  DISA  IG  auditors  did  not 
comply  with  the  DISA  IG’s  IRR  policies  and  procedures  for  perfonnance  audits.  The  following 
table  specifies  the  noncompliances  that  were  identified. 


Audit  Project 

Listing  of  Deficiencies  Identified  for  the  IRR  Process 

Audit  of  Compliance 
with  Requirements  for 
IUID  Clauses  in  Supply 
Contracts  (Project  No. 
2010-H-304) 

•  AIGA  did  not  sign  IRR  certification  for  the  draft  report. 

•  Performance  Branch  Chief/Project  Leader  did  not  sign  the  IRR 
certification  prior  to  the  issuance  of  the  draft  report.  The 
Chief/Project  Leader's  electronic  signature  was  affixed  on 

June  9,2011.  The  date  of  the  draft  report  was 

December  7,  2010. 

•  The  independent  reference  reviewer  did  not  note  on  the  IRR 
Sheet  (draft  report)  that  the  audit  program  was  not  properly 
completed,  and  signed  by  the  Assistant  IG  and  Project 

Leader.  In  addition,  the  independent  reference  reviewer  did 
not  verify  that  an  approved  written  audit  program  existed. 

•  The  Project  Leader  did  not  ensure  that  the  underlying  project 
documentation  supporting  the  report  was  reviewed  before  the 
IRR  began. 

Audit  of  Operational 
Support  Systems  Issues 
(Project  No.  2010-H- 
303) 

•  The  independent  reference  reviewer  did  not  verify  that  an 
approved  written  audit  program  existed. 

•  The  independent  reference  reviewer  did  not  note  that  some  of 
the  project  documentation  did  not  have  evidence  of 
supervisory  review. 

•  Project  Leader  did  not  ensure  that  the  underlying  project 
documentation  supporting  the  report  was  reviewed  before  the 
IRR  began. 

•  AIGA  did  not  sign  IRR  certification  for  the  draft  report. 

•  AIGA  and  the  Project  Leader  did  not  sign  IRR  certification  for 
the  final  report. 

•  The  final  report  was  not  fully  referenced.  Specifically,  the 
cross-referenced  final  report  did  not  contain  the  Management 
Comments  (the  sections  after  each  individual  finding  was 
discussed). 

Audit  of  Travel 
Vouchers  Through  the 
Defense  Travel  System 
(Project  No.  2009-H- 
301) 

•  The  AIGA  did  not  sign  the  IRR  certification  for  the  final 
report. 

Reference  Reviews  at  the  Regional  Office 

Due  to  limited  staff  assigned  to  the  regional  office,  the  office  did  not  conduct  IRRs.  The 
Regional  IG  supervised  the  audit  work,  performed  reference  reviews  for  the  audit  reports,  and 
ensured  quality  control  on  all  projects. 
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For  the  one  project  we  reviewed  at  the  regional  office,  the  Audit  of  Incoming  MIPRs  at  DITCO 
Scott,  we  identified  areas  within  the  reference  review  process  that  need  improving  to  ensure  that 
audit  reports  are  fully  supported.  For  example,  we  identified  instances  where  references  used  to 
support  the  audit  report  lacked  pertinent  infonnation  and  further  explanations  were  required. 
Although  these  instances  were  noted,  they  did  not  make  the  audit  report  unreliable;  an 
independent  evaluation  of  the  completeness  and  accuracy  of  the  evidence  used  to  support  the 
report  may  have  revealed  the  reference  deficiencies  we  noted.  Examples  of  the  reference 
deficiencies  included: 

•  summary  workpaper  (Purpose  section)  used  to  show  analysis  perfonned  for  both  of  the 
audited  entities  only  identified  one  entity,  not  both; 

•  an  example  used  to  support  a  minor  concern  the  auditors  identified  was  not  referenced; 

•  numbers  used  in  a  table  in  the  report  were  not  found  in  the  reference  provided;  and 

•  a  reference  provided  did  not  support  the  statement  in  the  report. 

Use  of  Project  Quality  Control  Checklists 

For  one  of  the  four  audits  we  reviewed,  the  Audit  of  Operational  Support  Systems  Issues,  the 
Project  Quality  Control  Checklist  was  not  signed  by  the  Branch  Chief.  Supervisors  and  team 
leaders  use  the  Project  Quality  Control  Checklists  throughout  the  course  of  audits  as  a  reminder 
of  GAGAS  requirements  for  project  planning,  supervision,  project  documentation,  and  reporting. 
The  Audit  Handbook  states  that  at  the  conclusion  of  each  project,  the  checklist  is  to  be  signed  by 
the  Branch  Chief  and  the  Auditor-in-Charge.  The  Branch  Chiefs  signature  confirms  that  they 
have  completed  the  checklist  and  all  requirements  of  the  checklist  have  been  met. 

Recommendations,  Management  Comments,  and  Our 
Response 

Recommendations 

We  recommend  that  the  Director,  DISA: 

4.  Take  action  to  improve  the  audit  organization’s  understanding  and  compliance  of  the 
following  GAGAS  standards:  professional  judgment,  supervision,  audit  evidence, 
audit  documentation,  reporting  requirements,  performing  and  reporting  on  nonaudit 
services,  independence,  and  planning. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  In-house  training  will  be  provided  in  coordination  with 
updates  to  the  Audit  Handbook. 

Our  Response 

The  management  comments  are  responsive.  We  request  the  Inspector  General,  DISA,  to  provide 
us  with  a  copy  of  the  training  syllabus  and  curriculum  to  ensure  ourselves  all  standards  covered 
by  this  recommendation  are  adequately  addressed. 
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5.  Reevaluate  the  audit  organization’s  goal  to  complete  audits  within  180  days.  While 
we  cannot  definitively  conclude  that  the  180-day  timeframe  resulted  in  the  significant 
deficiencies  and  additional  deficiencies  we  identified,  this  timeframe  may  not  be 
reasonable  and  may  have  an  effect  on  the  audit  organization’s  operations  and  ability 
to  comply  with  GAGAS. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  The  current  goal  of  completing  audits  within  180  days 
will  be  reevaluated. 

Our  Response 

The  management  comments  are  responsive.  We  request  the  Inspector  General,  DISA,  to  provide 
us  with  a  copy  of  the  evaluation  plan  for  audit  completion  timeframes. 


6.  Ensure  audit  management  incorporates  guidance,  such  as  the  new  format  for 
presenting  summary  finding  paragraphs  in  audit  reports,  and  any  other  audit  and 
reporting  practices  that  have  already  been  implemented,  into  the  Audit  Handbook. 

Management  Comments 

The  Inspector  General,  DISA  concurred.  Guidance  from  senior  management  will  be 
incorporated  in  the  next  update  to  the  Audit  Handbook. 

Our  Response 

The  management  comments  are  responsive.  When  completed,  we  request  the  Inspector  General, 
DISA,  to  provide  us  with  a  copy  of  the  revised  Audit  Handbook. 
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Appendix  D.  Summary  of  Interview  Results 
Relating  to  DISA  IG  Audit  Policies  and  GAGAS 

We  interviewed  nine  staff  members  of  the  DISA  IG  audit  organization  to  detennine  their 
knowledge  of  DISA  IG  audit  policies  and  GAGAS.  The  interviews  consisted  of  questions 
related  to  the  DISA  IG  audit  policies  and  GAGAS,  fieldwork  standards,  and  reporting  standards. 
A  summary  of  the  results  of  the  responses  received  follows: 


Areas  Pertaining  to  DISA  IG  Audit  Division 
Policies  and  GAGAS  Standards 

Responses  to  Questions 

1.  Awareness  of  DISA  IG  Audit  Policies 

All  staff  were  aware  of  the  audit  policies. 

2.  Compliance  with  GAGAS 

Most  staff  stated  that  their  work  complied  with 
GAGAS  standards. 

3.  Independence 

Most  staff  did  not  encounter  any  external  or 
organizational  independence  impairments 
when  perfonning  their  work. 

All  staff  stated  that  they  did  not  perfonn  any 
nonaudit  services  that  could  impact 
independence. 

4.  Competence 

Staff  responses  indicated  that  the  competency 
requirement  was  fulfilled. 

5.  Quality  Control  and  Assurance 

Depending  on  years  of  auditing  experience 
and  length  of  employment  at  the  DISA  IG, 
answers  varied  from  extensive  to  minimal 
understanding  of  quality  control  procedures. 

6.  Planning  (Key  Decisions) 

Staff  involved  with  audit  planning  documented 
key  planning  decisions  and  communicated  with 
the  client  throughout  the  planning  phase. 

7.  Planning  (Fraud) 

Staff  perfonned  risk  assessments  for  the  audit 
programs. 

8.  Supervision 

All  staff  stated  that  they  received  or  provided 
adequate  supervision. 

9.  Audit  Documentation 

Staff  provided  examples  of  processes 
perfonned  to  ensure  that  audit  reports  are 
properly  supported. 

10.  Evidence 

Staff  provided  examples  of  actions  to  ensure 
that  audit  evidence  is  supported  in  the  final 
report. 

11.  Reporting  (Timeliness) 

The  audit  organization’s  goal  is  to  complete 
audits  within  180  days. 
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Appendix  E.  Scope  and  Methodology 

We  reviewed  the  adequacy  of  the  DISA  IG  audit  organization’s  compliance  with  their  quality 
control  policies,  procedures,  and  GAGAS.  We  reviewed  three  audits  at  DISA  IG  Headquarters 
and  one  audit  at  the  Regional  Office. 

We  reviewed  the  adequacy  of  the  design  of  policies  and  procedures  that  the  DISA  IG  audit 
organization  established  to  provide  reasonable  assurance  of  compliance  with  GAGAS  in  the 
conduct  of  its  audits  and  attestation  engagements.  The  DISA  IG  Audit  Handbook,  July  2007 
version,  was  the  policy  and  guidance  document  that  was  reviewed. 

In  perfonning  our  review,  we  considered  the  requirements  of  quality  control  standards  and  other 
auditing  standards  contained  in  the  2007  Revision  of  GAGAS  issued  by  the  Comptroller  General 
of  the  United  States.  GAGAS  3.56  states: 

The  audit  organization  should  obtain  an  external  peer  review  sufficient 
in  scope  to  provide  a  reasonable  basis  for  determining  whether,  for  the 
period  under  review,  the  reviewed  audit  organization’s  system  of 
quality  control  was  suitably  designed  and  whether  the  audit 
organization  is  complying  with  its  quality  control  system  in  order  to 
provide  the  audit  organization  with  reasonable  assurance  of  conforming 
with  applicable  professional  standards. 

We  performed  this  review  from  March  2011  through  October  2011  in  accordance  with  standards 
and  guidelines  established  in  the  March  2009  Council  of  the  Inspectors  General  on  Integrity  and 
Efficiency  “Guide  for  Conducting  External  Peer  Reviews  of  Audit  Organizations  of  the  Federal 
Offices  of  Inspector  General.”  In  performing  this  review,  we  assessed,  reviewed,  and  evaluated: 

•  the  adequacy  of  the  design  of  policies  and  procedures  that  the  DISA  IG  audit 
organization  established  to  provide  reasonable  assurance  of  compliance  with  GAGAS  in 
the  conduct  of  its  audits  and  attestation  engagements; 

•  staff  understanding  of  quality  control  policies  and  procedures; 

•  independence  documentation  and  records  of  continuing  professional  education  to  verify 
the  measures  that  enable  the  identification  of  independence  impairments  and  maintenance 
of  professional  competence; 

•  independence  safeguards  for  nonaudit  services;  and 

•  four  audit  reports  and  related  project  documentation  to  determine  whether  established 
policies,  procedures,  and  applicable  standards  were  followed. 

We  selected  four  reports  from  a  universe  of  14  reports  issued  by  the  DISA  IG  during  FY  2009, 
FY  2010,  and  until  March  FY  2011.  We  tested  the  four  projects  for  compliance  with  the  DISA 
IG  audit  organization’s  system  for  quality  control  for  audits  and  attestation  engagements.  Also, 
we  perfonned  a  minimal  review  of  the  project  documentation  for  one  additional  project  in  which 
a  Fetter  Report  was  issued. 
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In  selecting  the  reports,  we  worked  with  the  DISA  IG  audit  organization  to  establish  the  universe 
of  reports  that  were  issued  during  the  review  period.  We  then  selected  reports  that  were 
representative  of  the  types  of  reviews  completed.  The  DISA  IG  did  not  issue  any  financial  audit 
reports  during  the  review  period. 

The  following  table  identifies  the  specific  reports  we  reviewed  at  both  audit  offices.  The  “Type 
of  Review”  column  contains  information  that  was  determined  by  the  report  GAGAS  compliance 
statement  and/or  type  of  review  described  in  the  final  report. 


Audit  Office 

Report  Title,  Number,  Issue  Date 

Type  of  Review 

DISA  IG  Headquarters 

2011-02,  “Audit  of  Compliance  with 
Requirements  for  Item  Unique 
Identification  Clauses  in  Supply 
Contracts,”  February  3,  201 1 

Perfonnance 

2011-01,  “Audit  of  Operational 

Support  Systems  Issues,”  December 

17, 2010 

Perfonnance 

2009-06,  “Audit  of  Travel  Vouchers 
Through  the  Defense  Travel  System,” 
August  25,  2009 

Perfonnance 

DISA  IG  Regional  Office 

2009-01,  “Audit  of  Incoming  MIPRs  at 
DITCO  Scott,”  November  13,  2008 

Perfonnance 

Limitations  of  Review 

Our  review  would  not  necessarily  disclose  all  weaknesses  in  the  system  of  quality  control  or  all 
instances  of  noncompliance  because  we  based  our  review  on  selective  tests.  There  are  inherent 
limitations  in  considering  the  potential  effectiveness  of  any  quality  control  system.  Departures 
from  GAGAS  can  result  from  misunderstood  instructions,  mistakes  in  judgment,  carelessness,  or 
other  human  errors.  Projecting  any  evaluation  of  a  quality  control  system  is  subject  to  the  risk 
that  one  or  more  procedures  may  become  inadequate  because  conditions  may  change  or  the 
degree  of  compliance  with  procedures  may  deteriorate. 
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Defense  Information  Systems  Agency  Comments 


DEFENSE  INFORMATION  SYSTEMS  AGENCY 

P  O  BOX  549 

FORT  MEADE.  MARYLAND  20755-0549 


Inspector  General  (IG)  jy|^  J  1  201Z 


MEMORANDUM  FOR  DEPUTY  INSPECTOR  GENERAL  FOR  POLICY  AND 

OVERSIGHT,  OFFICE  OF  THE  INSPECTOR  GENERAL, 
DEPARTMENT  OF  DEFENSE 

SUBJ  ECT:  Response  to  Department  of  Defense  Inspector  General  (DoDIG)  Draft  Report  - 
Quality  Control  Review  of  the  Defense  Information  Systems  Agency  Audit 
Organization,  dated  June  27, 2012  (Project  No.  D-201 1-DIPOAI-0 1 90.000) 


1.  The  DISA  IG  has  reviewed  the  draft  report  referenced  above  and  provides  comments  as 
enclosed.  We  thank  the  Department  of  Defense  Inspector  General  audit  team  for  the 
opportunity  to  participate  in  this  peer  review. 

2.  We  look  forward  to  working  with  you  and  your  staff  in  the  future.  Any  questions  your  staff 
have  concerning  matters  for  the  recommendations  should  be  directed  to  Ms.  Barbara  Wright, 
(301)  225-6218,  barbara.s.wright.civ@mail.mil.  Please  do  not  hesitate  to  contact  her  should 
you  need  to  further  discuss  this  matter 


Enclosure  a/s 


26 


Defense  Information  System  Agency  (DISA)  Office  Inspector  General  (OIG)  responses 
to  the  Draft  Report  for  Quality  Control  Review  of  the  Defense  Information  Systems 
Agency  Audit  Organization,  June  27, 2012 
(Project  No.  D-201  l-DIPOAI-0190.000) 


DODIG  RECOMMENDATIONS: 


RECOMMENDATION  1.  Update  the  Audit  Handbook  to  include  policies  and 
procedures  that: 

l.a.  Explain  the  process  for  notifying  the  entity  management  when  an  impairment  to 
independence  is  identified  after  the  audit  report  is  issued. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  explain  the  process  for  notifying  the  entity  management  when  an 
impairment  to  independence  is  identified  after  the  audit  report  is  issued  in  the  Audit 
Handbook. 

Estimated  Completion  Date:  October  31,  2012. 


l.b.  Explain  how  the  audit  organization  documents  and  tracks  formal  continuing 
professional  education  and  training. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  explain  how  the  audit  organization  documents  and  tracks  formal  continuing 
professional  education  and  training  in  the  Auditor  Handbook. 

Estimated  Completion  Date:  October  31,  2012. 

RECOMMENDATION  2:  Establish  a  2-year  plan  for  both  audit  offices  to  review 
audits  for  compliance  with  internal  quality  assurance  policies  and  procedures  and 
GAGAS. 

DISA  IG  RESPONSE:  Concur  with  Comment 

DISA  IG  will  conduct  its  annual  quality  assurance  assessment  in  compliance  with 
GAGAS  and  the  revised  Audit  Handbook.  Due  to  the  small  size  of  the  Audit  Division, 
an  internal  auditor  will  perform  the  quality  assurance  assessments,  and  we  will  update  the 
audit  handbook  to  show  this  change. 

Estimated  Completion  Date:  We  will  conduct  the  next  quality  assurance  review  in 
October  2012. 

FOR  OFFICIAL  USE  ONLY 
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Defense  Information  System  Agency  (DISA)  Office  Inspector  General  (OIG)  responses 
to  the  Draft  Report  for  Quality  Control  Review  of  the  Defense  Information  Systems 
Agency  Audit  Organization,  June  27, 2012 
(Project  No.  D-2011-DIPOAI-0190.000) 


RECOMMENDATION  3:  Issue  a  memorandum  to  the  recipient  of  the  Letter  Report: 
Data  Mining  of  DISA  Government  Travel  Card  Program  (Project  No.  2010-H-301), 
August  10, 2010,  to  state  that  the  nonaudit  service  provided  was  not  performed  in 
accordance  with  GAGAS. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  issue  a  memorandum  to  the  recipient  of  the  Letter  Report:  Data  Mining  of 
DISA  Government  Travel  Card  Program  (Project  No.  2010-H-301),  August  10, 2010,  to 
state  that  the  non-audit  service  provided  was  not  performed  in  accordance  with  GAGAS. 

Estimated  Completion  Date:  August  31,  2012 

RECOMMENDATION  4:  Take  action  to  improve  the  audit  organization’s 
understanding  and  compliance  of  the  following  GAGAS  standards:  professional 
judgment,  supervision,  audit  evidence,  audit  documentation,  reporting  requirements, 
performing  and  reporting  on  non-audit  services,  independence,  and  planning. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  provide  in-house  training  in  coordination  with  the  update  to  the  Audit 
Handbook. 

Estimated  Completion  Date:  October  31,  2012 


RECOMMENDATION  5.  Reevaluate  the  audit  organization’s  goal  to  complete  audits 
within  180  days.  While  we  cannot  definitively  conclude  that  the  180-day  timeframe 
resulted  in  the  significant  deficiencies  and  additional  deficiencies  we  identified,  this 
timeframe  may  not  be  reasonable  and  may  have  an  effect  on  the  audit  organization’s 
operations  and  ability  to  comply  with  GAGAS. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  reevaluate  the  current  goal  of  completing  an  audit  within  180  days. 

Estimated  Completion  Date:  October  31, 2012. 


FOR  OFFICIAL  USE  ONLY 
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Defense  Information  System  Agency  (DISA)  Office  Inspector  General  (OIG)  responses 
to  the  Draft  Report  for  Quality  Control  Review  of  the  Defense  Information  Systems 
Agency  Audit  Organization.  June  27,  201 2 
(Project  No.  D-201 1-DIP0AI-0190.000) 

RECOMMENDATION  6.  Ensure  audit  management  incorporates  guidance,  such  as  the 
new  format  for  presenting  summary  finding  paragraphs  in  audit  reports,  and  any  other 
audit  and  reporting  practices  that  have  already  been  implemented  into  the  Audit 
Handbook. 

DISA  IG  RESPONSE:  Concur 

DISA  IG  will  incorporate  guidance  from  senior  management  in  the  next  update  to  the 
Audit  Handbook. 

Estimated  Completion  Date:  October  31,  2012 


FOR  OFFICIAL  USE  ONLY 
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